ACL question

shadowman724
Level 1

Hi,

I have one ACL applied on a router interface.

Will traffic in the opposite direction that matches the statements be allowed to pass?

What if it does not match them?

Example:

router(config)#access-list 111 deny tcp any any eq 23

router(config)#access-list 111 permit ip any any

router(config)#interf serial 0

router(config-if)#ip access-group 111 in

router#



ankbhasi
Cisco Employee

Hi Shadow,

The ACL will only become active for incoming packets, as the access group is applied in the "in" direction and not for packets in the reverse direction.

So for any packets hitting the serial interface inbound, if they match, the ACL will take the action, but for any traffic moving out from the serial interface the ACL will have no effect even if the condition matches.

HTH

Ankur

gpulos
Level 8

No,

traffic in the other direction will not be submitted to the ACL.

Therefore two things occur:

1) there is no match with the ACL, since it is not queried

2) all outbound traffic will be forwarded and not restricted by the ACL

Your access-list as shown above should deny all telnet traffic coming inbound to the Serial 0 interface, while allowing all other traffic inbound.

There are no outbound restrictions from what you've shown.

please see the following link for more info:

http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a0080716eba.html#wp1063324

I understood this:

If telnet traffic is going out Serial 0, it will be allowed although it matches the first statement of the ACL. Is that right?

Wassim,

Let's approach your configuration line by line.

"access-list 111 deny tcp any any eq 23"

Based on the above configuration, you are denying any traffic coming into Serial 0 with any TCP Source Port and Destined to TCP Port 23.

"access-list 111 permit ip any any"

Based on the above configuration, you are permitting all IP traffic from any source to any destination.

interf serial 0

ip access-group 111 in

The access-group is applied on the inside of Serial 0, meaning any traffic coming into Serial 0.

So, for any traffic going out Serial 0, the "access-group 111 in" is not referenced since the access-group is not applied outbound. When the return traffic comes into Serial 0, "access-group 111 in" is referenced since it is applied inbound.

To answer your specific question, if telnet traffic goes out from Serial 0, the "access-group 111 in" is not referenced. When the return traffic comes back into Serial 0, the access-group is referenced. And since you have "access-list 111 permit ip any any" in your access-list, the return traffic will be permitted.

Don't get confused by the access-list statement that says "access-list 111 deny tcp any any eq 23". This is only for telnet traffic initiated from the outside: any TCP source port destined to telnet (port 23).

In your case, if you telnet out from Serial 0, the return traffic will have a source port of 23 (telnet) and a destination port of whatever you initiated with. So it will match the second statement of your access-list and be permitted.

For example:

Look at the debugs from R2 when we telnet from R1 E0/0 (10.1.1.1) to R2 E0/0(10.1.1.2).

*Sep 29 16:56:30.647: IP: tableid=0, s=10.1.1.1 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), routed via RIB
*Sep 29 16:56:30.647: IP: s=10.1.1.1 (Ethernet0/0), d=10.1.1.2 (Ethernet0/0), len 44, rcvd 3
*Sep 29 16:56:30.647: TCP src=61224, dst=23, seq=4205704356, ack=0, win=4128 SYN
*Sep 29 16:56:30.647: IP: tableid=0, s=10.1.1.2 (local), d=10.1.1.1 (Ethernet0/0), routed via RIB
*Sep 29 16:56:30.647: IP: s=10.1.1.2 (local), d=10.1.1.1 (Ethernet0/0), len 44, sending
*Sep 29 16:56:30.647: TCP src=23, dst=61224, seq=2269647429, ack=4205704357, win=4128 ACK SYN

Let me know if it helps.

Regards,

Arul
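The following is an added example, not code from this thread or from Cisco. It is a small Python model of the IOS extended-ACL semantics that gpulos and Arul describe above: an ACL bound with "ip access-group 111 in" is consulted only for packets entering Serial 0, entries are evaluated top-down with first match winning, and an unmatched packet hits the implicit deny at the end. The packets are constructed from the telnet debug above (10.1.1.1 opening a session to 10.1.1.2 from ephemeral port 61224); treating 10.1.1.1 as the inside host and Serial 0 as the interface the packets cross is an assumption. It also goes one step past the thread: because ACL 111 is stateless, a SYN that an outside host sends from source port 23 looks, by ports alone, exactly like the return traffic Arul describes and is permitted, so a hypothetical ACL 112 using the IOS "established" keyword (matches TCP segments with ACK or RST set) is shown alongside it.

```python
"""Model of IOS extended-ACL evaluation for the Serial 0 example in this thread.

Added illustration, not code from the original post or from Cisco. Only the
'any any' source/destination form used in the thread is parsed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}  # small subset of the IOS port keywords


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    dport: Optional[int] = None    # 'eq <port>' on the destination port
    established: bool = False      # TCP only: ACK or RST must be set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> permit|deny <proto> any any [eq <port>] [established]'."""
    acl = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue                      # skip prompts and blank lines
        action, proto = tok[2], tok[3]
        if tok[4:6] != ["any", "any"]:
            raise ValueError(f"only 'any any' is supported: {line!r}")
        dport, established, rest = None, False, tok[6:]
        while rest:
            kw = rest.pop(0)
            if kw == "eq":
                v = rest.pop(0)
                dport = int(v) if v.isdigit() else PORT_NAMES[v]
            elif kw == "established":
                established = True
            else:
                raise ValueError(f"unsupported keyword {kw!r} in {line!r}")
        acl.append(Entry(action, proto, dport, established))
    return acl


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


def interface_filter(acl: List[Entry], applied: str, direction: str, p: Packet) -> str:
    """Verdict for p crossing the interface in `direction` ('in'/'out') when the ACL
    was bound with 'ip access-group <n> <applied>'. Packets in the other direction
    are never compared against the ACL, whatever their content."""
    return evaluate(acl, p) if direction == applied else "not checked"


# ACL 111 is the one from the post; ACL 112 is a hypothetical variant that admits
# only TCP segments with ACK/RST set (real return traffic) and drops new inbound TCP.
ACL_111 = parse_acl([
    "access-list 111 deny tcp any any eq 23",
    "access-list 111 permit ip any any",
])
ACL_112 = parse_acl([
    "access-list 112 permit tcp any any established",
    "access-list 112 deny tcp any any",
    "access-list 112 permit ip any any",
])

# Constructed packets modelled on the debug output (assumed to cross Serial 0).
SYN = frozenset({"SYN"})
TELNET_SYN = Packet("tcp", "10.1.1.1", "10.1.1.2", 61224, 23, SYN)               # our SYN, leaving
TELNET_SYNACK = Packet("tcp", "10.1.1.2", "10.1.1.1", 23, 61224, SYN | {"ACK"})  # reply, entering
OUTSIDE_TELNET_SYN = Packet("tcp", "10.1.1.2", "10.1.1.1", 40000, 23, SYN)      # new, from outside
SPOOFED_SYN = Packet("tcp", "10.1.1.2", "10.1.1.1", 23, 61224, SYN)             # new, but sport 23


def demo() -> Dict[str, str]:
    """Bind each ACL as 'ip access-group <n> in' on Serial 0 and collect verdicts."""
    cases = {
        "111 out: our telnet SYN": (ACL_111, "out", TELNET_SYN),
        "111 in: return SYN/ACK": (ACL_111, "in", TELNET_SYNACK),
        "111 in: outside telnet SYN": (ACL_111, "in", OUTSIDE_TELNET_SYN),
        "111 in: SYN from sport 23": (ACL_111, "in", SPOOFED_SYN),
        "112 in: return SYN/ACK": (ACL_112, "in", TELNET_SYNACK),
        "112 in: SYN from sport 23": (ACL_112, "in", SPOOFED_SYN),
    }
    return {name: interface_filter(acl, "in", d, p) for name, (acl, d, p) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} -> {verdict}")
```

Running it shows the outbound SYN as "not checked", the real SYN/ACK permitted by both ACLs, a fresh telnet SYN from outside denied by both, and the SYN sent from source port 23 permitted by ACL 111 but denied by ACL 112. The "established" keyword only inspects TCP flags, so it is still a stateless check; it narrows what an outside host can initiate, but a stateful inspection feature is what actually tracks the session.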
